Policy interoperability in electronic signatures

Andreas Mitrakas

EESSI International event, Rome, 7 April 2003

Agenda

• Interoperability in 1999/93/EC

• Policy interoperability

• Format interoperability

• Content interoperability

• Aspects of Policy architecture

Scope of interoperability

• Policy interoperability is an issue broader than electronic signatures since it is often be linked to the underlying transaction

• Policy interoperability in electronic signatures can be addressed by:

• using international standards (e.g.: IETF)

• using European standards (e.g.: EESSI deliverables)

• using specific bilateral agreements

• Adhering to common operational rules

• etc

Standards OR agreement interoperability

Objective for policy interoperability

• Policy is used to adapt legal and business requirements in a particular operational context

• The objective for policy interoperability is to ensure the policy and liability conditions across multiple electronic signature infrastructures to establish Trust

• Equivalence must be established at the:• Technical

• Organisational/procedural

• Legal level

Liability rules + Policy limitations Limits of Trust

Interoperability

• Interoperability has become necessary to deliver e.g. trusted public services in the field of e.g. tax and customs, social security, exchanges between administrations etc.

• Interoperability and standards development are a priority for government and vendors

• It is further required to enhance application interoperability through:

• Specific rules in electronic document exchange to render electronic signature enforceable

(Policy) interoperability necessary for EU harmonisation

Directive 99/93/EC

Interoperability in 99/93/EC I

• 99/93/EC aims at harmonising the internal market and sets out interoperability objectives

• Coherence with existing international standards• IETF

• European standardisation

• Privacy Protection (art. 8)

Electronic signatures shall not make data mining easier!

Pseudonyms are explicitly permitted

Interoperability in 99/93/EC II

• EU Mutual recognition (art. 5)• A common framework of technical standards has been

developed by CEN/ISSS and ETSI in the EESSI framework

• 99/93/EC refers to such standards

• Multilateral co-operation among supervising authorities

• Legal relevance (art. 5)• Advanced signatures, created with a Secure signature

Creation Device for which a Qualified Certificate has been issued, are equal to handwritten signatures (5.1)

• To other legal relevance cannot be denied in principle

Policy Aspects

CP and CPS

• Typical electronic signature doctrine foresees: • A general framework for a CP & a CPSs for CAs and PKIs

• A checklist of topics to be covered in a certificate policy definition or a CPS

• Level of trust in a certificate depends on factors such as:• CA Practices to verify the identity of subjects’ identity

• CA’s operating policy, procedures, and security controls

• Subject’s obligations (e.g., to protect private key, revoke cert when compromised etc.)

• Warranties and obligations of the CA (e.g., warranties & limitations on liability)

Certificate Policy

• A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements

• High level document that describes the objectives of a PKI

• It refers to a group of domains rather than a single domain alone

• It is normative in a way that describes “what” to address in a PKI

• A Policy could be the scope of an application domain rather than a PKI domain

• Scope of the CP is to ascertain interoperability (if that is the goal)

• Hence a standardised format makes good sense (e.g. RFC 2527)

Certification Practice Statements (CPSs)

• A CPS is a detailed description of practices used by a CA to issue and manage certificates published by the CA

• According to American Bar Association (ABA) Digital Signature Guidelines,

• “a CPS is a statement of the practices which a CA employs in issuing and managing certificates”

• RFC 2527 gives a framework to support authors of CPs or CPS’

CPS content

• CPS is the main source of information on the provision of a CAs public and/or private certification services and related procedures

• User must view, read and accept the CPS prior to applying for a cert -- Is that real?

• CPS describes in great detail the practices and procedures it uses for issuing and managing certificates

• A CPS could be reviewed and audited periodically by a recognized auditor

RFC 2527 Update

Updated draft

• RFC 2527

• Describes a dynamic Certificate Policy Framework

• Encompasses experience from • application of the Framework since 1999

• PKI application

• better address legal requirements

• It also• Explains CP and CPS roles and differences better

• Explains better that framework can apply to all PKI entities: CA, RA, Repository, Subscribers, Relying Parties, Others

Evolution

• RFC 2527:

• Supports managed electronic signature policies

• Provides an education and training tool on electronic signature policies

• Shapes electronic signature policies to influence the growth of business and technology

• Is subjected to periodic review and updating

• Is a tool to develop and maintain electronic signature policies with a specific application domain or user community

Source

EU Directive 1999/93/EC “A Community Framework for Electronic Signatures”

Annex II: Requirements for CAs issuing qualified certificates

ETSI Policy Requirements for CAs Issuing Qualified Certificates

ETSITS 101 456

Directive 99/93/EC Annex II“Requirements forCertification Service Providers”

CA PracticesPolicy Standardse.g. RFC 2527,ANSI X9.29

EuropeanCSPAccreditationSchemes

CA QualifiedCertificate

Policy

input

ETSITS 101 042

CA genericCertificate

Policy

Qualified Certificate Policy framework

• Objectives

• QCP for CAs issuing qualified certificates to the public

• QCP for CAs issuing qualified certificates to the public requiring a secure signature creation device

• Framework for the definition of other CPs

• Set out objectives for CSPs that meet the requirements of the 99/93/EC and enhance interoperability

Issues of policy architecture

Interoperability models

Policy is essential for subscribers, relying parties and interoperability

Hierarchical model accepting subordination to another CAs policy

Cross-certificationCostly administrationAbsence of comprehensive standardsMultiple negotiations, varying contracts and agreements

Peer to peer trustSingle contracting partyWidely accepted and agreed standardsCustomizable chain of Trust

Policy driven interoperability

Fr CAIR CABologna

CARoma CAIL CA Sp CAUK CA

RootSign

Applicant

PAN-EUROPEAN CertificationAuthority

UKDirectory

ILDirectory

IRDirectory

SpDirectory

RomaDirectory

BolognaDirectory

FrDirectory

UK OCSPResponder

IR OCSPResponder

IL OCSPResponder

Sp OCSPResponder

RomeOCSP

Responder

BolognaOCSP

Responder

Fr OCSPResponder

Policy driven environment for•Accreditation

•Cross recognition

Contact Information

www.ubizen.com

andreas.mitrakas@ubizen.com